弹簧安全访问来自更深层的UserDetailsS​​ervice

Question

我有以下UserDetailsS​​ervice实现。
到目前为止，身份验证过程运行良好。
如何将我的“MYUSER豆”（即成功登录）存储在“会话”，所以我可以在我的应用

感谢访问它在其他领域。

@Transactional(readOnly = true) 
public class CustomUserDetailsService implements UserDetailsService { 


    private EmployeesApi employeesApi = new EmployeesApi(); 

    /** 
    * Retrieves a user record containing the user's credentials and access. 
    */ 
    public UserDetails loadUserByUsername(String userName) 
      throws UsernameNotFoundException, DataAccessException { 

     // Declare a null Spring User 
     UserDetails user = null; 

     try { 


      MyUser employee = employeesApi.getByUserName(userName); 



      user = new User(
        employee.getUserName(), 
        employee.getPassword().toLowerCase(), 
        true, 
        true, 
        true, 
        true, 
        getAuthorities(1)); 

     } catch (Exception e) { 
      logger.error("Error in retrieving user"); 
      throw new UsernameNotFoundException("Error in retrieving user"); 
     } 


    } 
    .... 

Answer 1

Spring Security已经在会话中为您存储了已认证用户的UserDetails。

因此，存储MyUser在会话中的最简单的方法是实现包含MyUser参考定制UserDetails：

public class MyUserDetails extends User { 
    private MyUser myUser; 
    public MyUserDetails(..., MyUser myUser) { 
     super(...); 
     this.myUser = myUser; 
    } 
    public MyUser getMyUser() { 
     return myUser; 
    } 
    ... 
} 

从你UserDetailsService返回它：

MyUser employee = employeesApi.getByUserName(userName); 
user = new MyUserDetails(..., myUser); 

然后你可以通过安全上下文轻松访问MyUser：

MyUser myUser = ((MyUserDetails) SecurityContextHolder 
    .getContext().getAuthentication().getPrincipal()).getMyUser(); 

在Spring MVC控制器：

@RequestMapping(...) 
public ModelAndView someController(..., Authentication auth) { 
    MyUser myUser = ((MyUserDetails) auth.getPrincipal()).getMyUser(); 
    ... 
} 

在JSP：

<security:authentication var = "myUser" property="principal.myUser" />